idnits 2.17.1

draft-dulaunoy-misp-core-format-12.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** The document seems to lack an IANA Considerations section.  (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.)

  ** There are 11 instances of too long lines in the document, the longest one being 18 characters in excess of 72.

  ** The abstract seems to contain references ([MISP-P]), which it shouldn't.  Please replace those with straight textual mentions of the documents in question.

  == There are 1 instance of lines with non-RFC2606-compliant FQDNs in the document.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not match the current year

  -- The document date (October 21, 2020) is 1281 days in the past.  Is this intentional?

  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  == Unused Reference: 'MISP-R' is defined on line 2519, but no explicit reference was found in the text

  == Unused Reference: 'MISP-T' is defined on line 2523, but no explicit reference was found in the text

     Summary: 3 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--).

  Run idnits with the --verbose option for more detailed information about the items above.
--------------------------------------------------------------------------------

Network Working Group                                       A. Dulaunoy
Internet-Draft                                                A. Iklody
Intended status: Informational                                    CIRCL
Expires: April 24, 2021                                October 21, 2020

                            MISP core format
                   draft-dulaunoy-misp-core-format-12

Abstract

   This document describes the MISP core format used to exchange indicators and threat information between MISP (Open Source Threat Intelligence Sharing Platform, formerly known as Malware Information Sharing Platform) instances. The JSON format includes the overall structure along with the semantics associated with each key. The format is described to support other implementations that reuse the format and to ensure interoperability with existing MISP [MISP-P] software and other Threat Intelligence Platforms.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 24, 2021.

Copyright Notice

   Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Terminology
   2.  Format
     2.1.  Overview
     2.2.  Event
       2.2.1.  Event Attributes
     2.3.  Objects
       2.3.1.  Org
       2.3.2.  Orgc
     2.4.  Attribute
       2.4.1.  Sample Attribute Object
       2.4.2.  Attribute Attributes
     2.5.  ShadowAttribute
       2.5.1.  Sample ShadowAttribute Object
       2.5.2.  ShadowAttribute Attributes
       2.5.3.  Org
     2.6.  Object
       2.6.1.  Sample Object
       2.6.2.  Object Attributes
     2.7.  Object References
       2.7.1.  Sample ObjectReference object
       2.7.2.  ObjectReference Attributes
     2.8.  EventReport
       2.8.1.  id
       2.8.2.  UUID
       2.8.3.  event_id
       2.8.4.  name
       2.8.5.  content
       2.8.6.  distribution
       2.8.7.  sharing_group_id
       2.8.8.  timestamp
       2.8.9.  deleted
     2.9.  Tag
       2.9.1.  Sample Tag
     2.10.  Sighting
       2.10.1.  Sample Sighting
     2.11.  Galaxy
       2.11.1.  Sample Galaxy
   3.  JSON Schema
   4.  Manifest
     4.1.  Format
       4.1.1.  Sample Manifest
   5.  Implementation
   6.  Security Considerations
   7.  Acknowledgements
   8.  References
   9.  References
     9.1.  Normative References
     9.2.  Informative References
   Authors' Addresses

1.  Introduction

   Sharing threat information has become a fundamental requirement in the Internet, security and intelligence community at large.
   Threat information can include indicators of compromise, malicious file indicators, financial fraud indicators or even detailed information about a threat actor. MISP [MISP-P] started as an open source project in late 2011 and the MISP format has become widely used as an exchange format within the community over the past years. The aim of this document is to describe the specification of the MISP core format.

1.1.  Conventions and Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Format

2.1.  Overview

   The MISP core format is in the JSON [RFC8259] format. In MISP, an event is composed of a single JSON object.

   A capitalized key (like Event, Org) represents a data model and a non-capitalised key is just an attribute. This nomenclature allows an implementation to represent the MISP format in another data structure.

2.2.  Event

   An event is a simple meta-structure in which attributes and meta-data are embedded to compose a coherent set of indicators. An event can be composed from an incident, a security analysis report or a specific threat actor analysis. The meaning of an event depends only on the information embedded in the event.

2.2.1.  Event Attributes

2.2.1.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the event. The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new event.

   uuid is represented as a JSON string. uuid MUST be present.

2.2.1.2.  id

   id represents the human-readable identifier associated with the event for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.
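   The two identifiers just defined behave differently when an event crosses an instance boundary: the uuid is global and preserved, the id is local and reassigned. The Python below is an added example, not code from this draft or from the MISP project. It models a receiving instance that imports an Event JSON object, validates the uuid and id forms, keeps uuid, orgc_id and Orgc (2.2.1.1, 2.2.1.11), sets org_id and Org to the receiving organisation (2.2.1.10), assigns fresh local ids and rewrites each attribute's event_id (2.4.2.6). The local store, the receiving organisation, the sample document and the rule that an already-known uuid is only updated when the incoming timestamp (2.2.1.8) is strictly newer are all this example's constructions, not requirements stated in the draft.

```python
"""Importing a MISP Event: which identifiers are global, which are instance-local.

Added example (not from the draft or from MISP). Store and samples are constructed.
"""
import json
import re

# RFC 4122 textual form; the first hex digit of the third group is the version.
UUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-([1-5])[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$"
)


def uuid_version(value):
    """Return the UUID version (1-5), or None if value is not an RFC 4122 UUID string."""
    match = UUID_RE.match(str(value).lower())
    return int(match.group(1)) if match else None


def is_unsigned_int_string(value):
    """Human-readable identifiers are unsigned integers carried as JSON strings."""
    return isinstance(value, str) and value.isdigit()


class LocalInstance:
    """Minimal receiving instance: its own Org, an id counter and a store keyed by uuid."""

    def __init__(self, org_id, org_uuid, org_name):
        self.org = {"id": org_id, "name": org_name, "uuid": org_uuid}
        self.events_by_uuid = {}
        self._next_id = 1

    def _new_id(self):
        local_id = str(self._next_id)
        self._next_id += 1
        return local_id

    def import_event(self, remote_document):
        """Import {"Event": {...}} from another instance; returns (local_event, changed).

        Remote ids are never used as local keys: the uuid is the merge key and
        every human-readable id is reassigned on this instance.
        """
        remote = remote_document["Event"]
        if uuid_version(remote["uuid"]) is None:
            raise ValueError("Event.uuid is not an RFC 4122 UUID")
        if not is_unsigned_int_string(remote["id"]):
            raise ValueError("Event.id MUST be an unsigned integer string")

        existing = self.events_by_uuid.get(remote["uuid"])
        if existing is not None:
            # Known uuid: an update of an existing event keeps the local id.
            # Example policy (not from the draft): accept only strictly newer data.
            if int(remote["timestamp"]) <= int(existing["timestamp"]):
                return existing, False
            local_id = existing["id"]
        else:
            local_id = self._new_id()

        local = json.loads(json.dumps(remote))  # deep copy; the remote document is untouched
        local["id"] = local_id
        local["org_id"] = self.org["id"]        # the instance now holding the event (2.2.1.10)
        local["Org"] = dict(self.org)
        # uuid, orgc_id and Orgc (the creator) are preserved as received (2.2.1.1, 2.2.1.11).
        for attribute in local.get("Attribute", []):
            if uuid_version(attribute["uuid"]) is None:
                raise ValueError("Attribute.uuid is not an RFC 4122 UUID")
            attribute["id"] = self._new_id()      # local id, like the event's own id
            attribute["event_id"] = local_id      # points at the new local event (2.4.2.6)
        self.events_by_uuid[local["uuid"]] = local
        return local, True


# Constructed sample shaped after the draft's field list (values invented; the
# CIRCL Org uuid and the attribute uuid are taken from the draft's own samples).
REMOTE_DOCUMENT = {"Event": {
    "uuid": "9d1f3e2a-5b6c-4d7e-8f90-1a2b3c4d5e6f", "id": "3357", "published": True,
    "info": "Constructed sample event", "threat_level_id": "2", "analysis": "1",
    "date": "2020-10-21", "timestamp": "1603270000", "publish_timestamp": "1603270100",
    "org_id": "2", "orgc_id": "2", "attribute_count": "1", "distribution": "1",
    "sharing_group_id": "0",
    "Org": {"id": "2", "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"},
    "Orgc": {"id": "2", "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"},
    "Attribute": [{
        "uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869", "id": "346056", "event_id": "3357",
        "type": "comment", "category": "Other", "value": "Hello world", "to_ids": False,
        "deleted": False, "distribution": "5", "sharing_group_id": "0",
        "timestamp": "1475679332"}],
}}


def demo():
    """Import the sample twice; the second import changes nothing because nothing is newer."""
    receiver = LocalInstance(org_id="1", org_uuid="568cce5a-0c80-412b-8fdf-1ffac0a83869",
                             org_name="MISP")
    local, created = receiver.import_event(REMOTE_DOCUMENT)
    _, changed_again = receiver.import_event(REMOTE_DOCUMENT)
    return local, created, changed_again


if __name__ == "__main__":
    event, created, changed_again = demo()
    print(json.dumps({"local_id": event["id"], "uuid": event["uuid"], "org_id": event["org_id"],
                      "orgc_id": event["orgc_id"], "created": created,
                      "changed_again": changed_again}, indent=2))
```

   The regular expression also rejects a uuid whose variant bits are not those of RFC 4122, so a remote instance cannot smuggle an arbitrary string into the merge key; the version check is a report, not a hard rule, since version 4 is only RECOMMENDED.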
   id is represented as a JSON string. id SHALL be present.

2.2.1.3.  published

   published represents the event publication state. If the event was published, the published value MUST be true. In any other publication state, the published value MUST be false.

   published is represented as a JSON boolean. published MUST be present.

2.2.1.4.  info

   info represents the information field of the event. info is a free-text value providing a human-readable summary of the event. info SHOULD NOT be bigger than 256 characters and SHOULD NOT include newlines.

   info is represented as a JSON string. info MUST be present.

2.2.1.5.  threat_level_id

   threat_level_id represents the threat level.

   4:  Undefined
   3:  Low
   2:  Medium
   1:  High

   If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.

   threat_level_id is represented as a JSON string. threat_level_id SHALL be present.

2.2.1.6.  analysis

   analysis represents the analysis level.

   0:  Initial
   1:  Ongoing
   2:  Complete

   If a higher granularity is required, a MISP taxonomy applied as a Tag SHOULD be preferred.

   analysis is represented as a JSON string. analysis SHALL be present.

2.2.1.7.  date

   date represents a reference date of the event in ISO 8601 format (date only: YYYY-MM-DD). This date corresponds to the date the event occurred, which may be in the past.

   date is represented as a JSON string. date MUST be present.

2.2.1.8.  timestamp

   timestamp represents a reference time when the event, or one of the attributes within the event, was created or last updated/edited on the instance. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

   timestamp is represented as a JSON string. timestamp MUST be present.

2.2.1.9.  publish_timestamp

   publish_timestamp represents a reference time when the event was published on the instance. publish_timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). At each publication of an event, publish_timestamp MUST be updated. The time zone MUST be UTC. If publish_timestamp is present and the published flag is set to false, publish_timestamp represents the previous publication timestamp. If the event was never published, publish_timestamp MUST be set to 0.

   publish_timestamp is represented as a JSON string. publish_timestamp MUST be present.

2.2.1.10.  org_id

   org_id represents a human-readable identifier referencing an Org object of the organisation which generated the event. A human-readable identifier MUST be represented as an unsigned integer.

   The org_id MUST be updated when the event is generated by a new instance.

   org_id is represented as a JSON string. org_id MUST be present.

2.2.1.11.  orgc_id

   orgc_id represents a human-readable identifier referencing an Orgc object of the organisation which created the event.

   The orgc_id and Orgc object MUST be preserved for any updates or transfer of the same event.

   orgc_id is represented as a JSON string. orgc_id MUST be present.

2.2.1.12.  attribute_count

   attribute_count represents the number of attributes in the event. attribute_count is expressed in decimal.

   attribute_count is represented as a JSON string. attribute_count SHALL be present.

2.2.1.13.  distribution

   distribution represents the basic distribution rules of the event. The system must adhere to the distribution setting for access control and for dissemination of the event.

   distribution is represented by a JSON string.
   distribution MUST be present and be one of the following options:

   0  Your Organisation Only
   1  This Community Only
   2  Connected Communities
   3  All Communities
   4  Sharing Group

2.2.1.14.  sharing_group_id

   sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the event, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.

   sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0".

2.2.1.15.  extends_uuid

   extends_uuid represents which event is extended by this event. extends_uuid is the Universally Unique IDentifier (UUID) [RFC4122] of the extended event.

   extends_uuid is represented as a JSON string. extends_uuid SHOULD be present.

2.3.  Objects

2.3.1.  Org

   An Org object is composed of a uuid, name and id.

   The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organisation. The organisation UUID is globally assigned to an organisation and SHALL be kept over time.

   The name is a readable description of the organisation and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. A human-readable identifier MUST be represented as an unsigned integer.

   uuid, name and id are represented as JSON strings. uuid, name and id MUST be present.

2.3.1.1.  Sample Org Object

   "Org": {
     "id": "2",
     "name": "CIRCL",
     "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.3.2.  Orgc

   An Orgc object is composed of a uuid, name and id.

   The uuid MUST be preserved for any updates or transfer of the same event. UUID version 4 is RECOMMENDED when assigning it to a new organisation.
   The organisation UUID is globally assigned to an organisation and SHALL be kept over time.

   The name is a readable description of the organisation and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. A human-readable identifier MUST be represented as an unsigned integer.

   uuid, name and id are represented as JSON strings. uuid, name and id MUST be present.

2.4.  Attribute

   Attributes are used to describe the indicators and contextual data of an event. The main information contained in an attribute is a category-type-value triplet, where the category and type give meaning and context to the value. Through the various category-type combinations a wide range of information can be conveyed.

   A MISP document MUST include at least the category-type-value triplet described in section "Attribute Attributes".

2.4.1.  Sample Attribute Object

   "Attribute": {
     "id": "346056",
     "type": "comment",
     "category": "Other",
     "to_ids": false,
     "uuid": "57f4f6d9-cd20-458b-84fd-109ec0a83869",
     "event_id": "3357",
     "distribution": "5",
     "timestamp": "1475679332",
     "comment": "",
     "sharing_group_id": "0",
     "deleted": false,
     "value": "Hello world",
     "SharingGroup": [],
     "ShadowAttribute": [],
     "RelatedAttribute": [],
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null
   }

2.4.2.  Attribute Attributes

2.4.2.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the attribute. The uuid MUST be preserved for any updates or transfer of the same attribute. UUID version 4 is RECOMMENDED when assigning it to a new attribute.

   uuid is represented as a JSON string. uuid MUST be present.

2.4.2.2.  id

   id represents the human-readable identifier associated with the attribute for a specific MISP instance.
   A human-readable identifier MUST be represented as an unsigned integer.

   id is represented as a JSON string. id SHALL be present.

2.4.2.3.  type

   type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.

   type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows:

   Antivirus detection
      link, comment, text, hex, attachment, other, anonymised

   Artifacts dropped
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key

   Attribution
      threat-actor, campaign-name, campaign-id, whois-registrant-phone, whois-registrant-email, whois-registrant-name, whois-registrant-org, whois-registrar, whois-creation-date, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, dns-soa-email, anonymised, email

   External analysis
      md5, sha1, sha256,
      sha3-224, sha3-256, sha3-384, sha3-512, filename, filename|md5, filename|sha1, filename|sha256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac-address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, vulnerability, cpe, weakness, attachment, malware-sample, link, comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, github-repository, other, cortex, anonymised, community-id

   Financial fraud
      btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc-number, prtn, phone-number, comment, text, other, hex, anonymised

   Internal reference
      text, link, comment, other, hex, anonymised, git-commit-id

   Network activity
      ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, eppn, url, uri, user-agent, http-method, AS, snort, pattern-in-file, filename-pattern, stix2-pattern, pattern-in-traffic, attachment, comment, text, x509-fingerprint-md5, x509-fingerprint-sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, anonymised, community-id, email-subject

   Other
      comment, text, other, size-in-bytes, counter, datetime, cpe, port, float, hex, phone-number, boolean, anonymised, pgp-public-key, pgp-private-key

   Payload delivery
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512,
      filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip-src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, email-src, email-dst, email-subject, email-attachment, email-body, url, user-agent, AS, pattern-in-file, pattern-in-traffic, filename-pattern, stix2-pattern, yara, sigma, mime-type, attachment, malware-sample, link, malware-type, comment, text, hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver-md5, other, hostname|port, email-dst-display-name, email-src-display-name, email-header, email-reply-to, email-x-mailer, email-mime-boundary, email-thread-index, email-message-id, mobile-application-id, chrome-extension-id, whois-registrant-email, anonymised

   Payload installation
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, pattern-in-file, pattern-in-traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, sigma, vulnerability, cpe, weakness, attachment, malware-sample, malware-type, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, chrome-extension-id, other,
      mime-type, anonymised

   Payload type
      comment, text, other, anonymised

   Persistence mechanism
      filename, regkey, regkey|value, comment, text, other, hex, anonymised

   Person
      first-name, middle-name, last-name, date-of-birth, place-of-birth, gender, passport-number, passport-country, passport-expiration, redress-number, nationality, visa-number, issue-date-of-the-visa, primary-residence, country-of-residence, special-service-request, frequent-flyer-number, travel-details, payment-details, place-port-of-original-embarkation, place-port-of-clearance, place-port-of-onward-foreign-destination, passenger-name-record-locator-number, comment, text, other, phone-number, identity-card-number, anonymised, email, pgp-public-key, pgp-private-key

   Social network
      github-username, github-repository, github-organisation, jabber-id, twitter-id, email, email-src, email-dst, eppn, comment, text, other, whois-registrant-email, anonymised, pgp-public-key, pgp-private-key

   Support Tool
      link, text, attachment, comment, other, hex, anonymised

   Targeting data
      target-user, target-email, target-machine, target-org, target-location, target-external, comment, anonymised

   Attribute types reflect their usage within the different communities. The list of types can be extended on a regular basis and this reference document is updated accordingly.

2.4.2.4.  category

   category represents the intent of what the attribute is describing, as selected by the attribute creator, using a list of pre-defined attribute categories.

   category is represented as a JSON string. category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is given above.

2.4.2.5.  to_ids

   to_ids represents whether the attribute is meant to be actionable.
   Actionable attributes are those that can be used in automated processes as a pattern for detection in local or network intrusion detection systems, log analysis tools or even filtering mechanisms.

   to_ids is represented as a JSON boolean. to_ids MUST be present.

2.4.2.6.  event_id

   event_id represents a human-readable identifier referencing the Event object that the attribute belongs to. A human-readable identifier MUST be represented as an unsigned integer.

   The event_id SHOULD be updated when the event is imported, to reflect the newly created event's id on the instance.

   event_id is represented as a JSON string. event_id MUST be present.

2.4.2.7.  distribution

   distribution represents the basic distribution rules of the attribute. The system must adhere to the distribution setting for access control and for dissemination of the attribute.

   distribution is represented by a JSON string. distribution MUST be present and be one of the following options:

   0  Your Organisation Only
   1  This Community Only
   2  Connected Communities
   3  All Communities
   4  Sharing Group
   5  Inherit Event

2.4.2.8.  timestamp

   timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

   timestamp is represented as a JSON string. timestamp MUST be present.

2.4.2.9.  comment

   comment is a contextual comment field.

   comment is represented by a JSON string. comment MAY be present.

2.4.2.10.  sharing_group_id

   sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the attribute, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.
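   The attribute-level rules of 2.4.2.3 to 2.4.2.12 (category/type pairing, distribution levels including "5" for Inherit Event, the sharing_group_id coupling to level "4", the to_ids and deleted flags, base64 data for malware-sample and attachment, ISO 8601 first_seen/last_seen) are easiest to get right when checked together, before an attribute is fed to a detection pipeline. The Python below is an added example, not code from this draft or from MISP. The category/type table is a constructed excerpt of the list in 2.4.2.3, the sample attributes are constructed (the first mirrors the draft's sample attribute, each of the others is built to break exactly one rule), and the check that a composite type such as filename|sha256 carries both parts in one "|"-separated value is this example's assumption about how composite values are written.

```python
"""Attribute-level checks for the MISP core format (added example, not from the draft or MISP)."""
import base64
import binascii
from datetime import datetime

# Constructed excerpt of the category -> valid types table of 2.4.2.3 (the draft lists many more).
CATEGORY_TYPES = {
    "Network activity": {"ip-src", "ip-dst", "ip-dst|port", "hostname", "hostname|port",
                         "domain", "domain|ip", "url", "comment", "text"},
    "Payload delivery": {"md5", "sha256", "filename", "filename|md5", "filename|sha256",
                         "malware-sample", "attachment", "url", "comment", "text"},
    "Other": {"comment", "text", "other", "counter", "datetime"},
}
DISTRIBUTION_LEVELS = {"0", "1", "2", "3", "4", "5"}  # "5" = Inherit Event, attributes only
SHARING_GROUP, INHERIT_EVENT = "4", "5"
BINARY_TYPES = {"malware-sample", "attachment"}      # 2.4.2.12: data MUST be set


def effective_distribution(attribute, event):
    """Resolve "5" (Inherit Event) to the containing event's level and sharing group."""
    if attribute["distribution"] == INHERIT_EVENT:
        return event["distribution"], event.get("sharing_group_id", "0")
    return attribute["distribution"], attribute.get("sharing_group_id", "0")


def is_actionable(attribute):
    """to_ids marks a detection pattern; a revoked (deleted) attribute is never actionable."""
    return attribute["to_ids"] is True and attribute.get("deleted", False) is not True


def validate_attribute(attribute, event):
    """Return the list of rule violations; an empty list means the attribute is well-formed."""
    problems = []
    category, atype = attribute.get("category"), attribute.get("type")
    if category not in CATEGORY_TYPES:
        problems.append(f"unknown category {category!r}")
    elif atype not in CATEGORY_TYPES[category]:
        problems.append(f"type {atype!r} is not valid for category {category!r}")

    value = attribute.get("value")
    if not isinstance(value, str) or not value:
        problems.append("value MUST be a non-empty JSON string")
    elif atype and "|" in atype and value.count("|") != atype.count("|"):
        # Assumption: composite types carry both parts in one value, e.g. "a.exe|<sha256>".
        problems.append(f"composite type {atype!r} expects a '|'-separated value")

    dist = attribute.get("distribution")
    sgid = str(attribute.get("sharing_group_id", "0"))
    if dist not in DISTRIBUTION_LEVELS:
        problems.append(f"distribution {dist!r} is not one of 0-5")
    elif dist == SHARING_GROUP and (not sgid.isdigit() or sgid == "0"):
        problems.append("distribution 4 requires a non-zero sharing_group_id")
    elif dist != SHARING_GROUP and sgid != "0":
        problems.append('sharing_group_id MUST be "0" unless distribution is 4')

    for flag in ("to_ids", "deleted"):
        if not isinstance(attribute.get(flag), bool):
            problems.append(f"{flag} MUST be a JSON boolean")

    timestamp = attribute.get("timestamp")
    if not (isinstance(timestamp, str) and timestamp.isdigit()):
        problems.append("timestamp MUST be a decimal Unix time carried as a JSON string")

    if atype in BINARY_TYPES:
        data = attribute.get("data")
        try:
            if not isinstance(data, str) or not data:
                raise binascii.Error("data missing")
            base64.b64decode(data, validate=True)  # rejects non-alphabet bytes and bad padding
        except binascii.Error:
            problems.append(f"type {atype!r} requires base64 data")

    for key in ("first_seen", "last_seen"):
        seen = attribute.get(key)
        if seen is not None:
            try:
                datetime.fromisoformat(seen)   # accepts "2019-06-02T22:14:28.711954+00:00"
            except (TypeError, ValueError):
                problems.append(f"{key} is not an ISO 8601 datetime")

    if attribute.get("event_id") != event["id"]:
        problems.append("event_id MUST reference the containing event's id")
    return problems


# Constructed samples: "comment" mirrors the draft's sample attribute (2.4.1);
# every other entry is built to violate exactly one rule.
EVENT = {"id": "3357", "distribution": "1", "sharing_group_id": "0"}
_BASE = {"event_id": "3357", "to_ids": False, "deleted": False, "distribution": "5",
         "sharing_group_id": "0", "timestamp": "1475679332", "last_seen": None}
SAMPLES = {
    "comment": dict(_BASE, type="comment", category="Other", value="Hello world",
                    first_seen="2019-06-02T22:14:28.711954+00:00"),
    "type_mismatch": dict(_BASE, type="md5", category="Network activity",
                          value="d41d8cd98f00b204e9800998ecf8427e"),
    "composite_value": dict(_BASE, type="filename|sha256", category="Payload delivery",
                            value="dropper.exe"),
    "sample_without_data": dict(_BASE, type="malware-sample", category="Payload delivery",
                                value="dropper.exe|d41d8cd98f00b204e9800998ecf8427e", to_ids=True),
    "sharing_group_missing": dict(_BASE, type="ip-dst", category="Network activity",
                                  value="192.0.2.10", distribution="4", to_ids=True),
}


def check_all():
    """Validate every sample against its event; returns {name: [problems]}."""
    return {name: validate_attribute(attr, EVENT) for name, attr in SAMPLES.items()}


if __name__ == "__main__":
    for name, problems in check_all().items():
        print(f"{name}: {problems or 'ok'}")
```

   A consumer that only honours to_ids and ignores deleted will keep matching on a revoked indicator, which is why is_actionable checks both flags; likewise, a consumer that applies the attribute's own distribution "5" literally instead of resolving it to the event's level has no usable access-control decision for that attribute.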
   sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen the sharing_group_id MUST be set to "0".

2.4.2.11.  deleted

   deleted represents a setting that allows attributes to be revoked. Revoked attributes are not actionable and exist merely to inform other instances of a revocation.

   deleted is represented by a JSON boolean. deleted MUST be present.

2.4.2.12.  data

   data contains the base64 encoded contents of an attachment or a malware sample. For malware samples, the sample MUST be encrypted using a password protected zip archive, with the password being "infected". This well-known password only prevents accidental execution and anti-virus interference while the sample is handled; it provides no confidentiality, which is governed by the distribution setting and the transport.

   data is represented by a JSON string in base64 encoding. data MUST be set for attributes of type malware-sample and attachment.

2.4.2.13.  RelatedAttribute

   RelatedAttribute is an array of attributes correlating with the current attribute. Each element in the array is a JSON object containing an Attribute dictionary describing the external attribute that correlates. Each such Attribute MUST include the id, org_id, info and a value. Only the correlations found on the local instance are shown in RelatedAttribute.

   RelatedAttribute MAY be present.

2.4.2.14.  ShadowAttribute

   ShadowAttribute is an array of shadow attributes that serve as proposals by third parties to alter the containing attribute. The structure of a ShadowAttribute is similar to that of an Attribute. A proposal can be accepted or discarded by the event creator. If accepted, the original attribute containing the shadow attribute is removed and the shadow attribute is converted into an attribute.

   Each shadow attribute that references an attribute MUST contain the containing attribute's ID in the old_id field and the event's ID in the event_id field.

2.4.2.15.  value

   value represents the payload of an attribute.
   The format of the value is dependent on the type of the attribute.

   value is represented by a JSON string. value MUST be present.

2.4.2.16.  first_seen

   first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime with microsecond precision and time zone support.

   first_seen is represented as a JSON string. first_seen MAY be present.

2.4.2.17.  last_seen

   last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime with microsecond precision and time zone support.

   last_seen is represented as a JSON string. last_seen MAY be present.

2.5.  ShadowAttribute

   ShadowAttributes are third-party-created attributes that either propose to add new information to an event or to modify existing information. They are not meant to be actionable until the event creator accepts them, at which point they are converted into attributes or modify an existing attribute.

   They are similar in structure to Attributes but additionally carry a reference to the creator of the ShadowAttribute as well as a revocation flag.

2.5.1.  Sample ShadowAttribute Object

   "ShadowAttribute": {
     "id": "8",
     "type": "ip-src",
     "category": "Network activity",
     "to_ids": false,
     "uuid": "57d475f1-da78-4569-89de-1458c0a83869",
     "event_uuid": "57d475e6-41c4-41ca-b450-145ec0a83869",
     "event_id": "9",
     "old_id": "319",
     "comment": "",
     "org_id": "1",
     "proposal_to_delete": false,
     "value": "5.5.5.5",
     "deleted": false,
     "Org": {
       "id": "1",
       "name": "MISP",
       "uuid": "568cce5a-0c80-412b-8fdf-1ffac0a83869"
     },
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null
   }

2.5.2.  ShadowAttribute Attributes

2.5.2.1.  uuid

   uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the shadow attribute.
   The uuid MUST be preserved for any updates or transfer of the same shadow attribute. UUID version 4 is RECOMMENDED when assigning it to a new shadow attribute.

   uuid is represented as a JSON string. uuid MUST be present.

2.5.2.2.  id

   id represents the human-readable identifier associated with the shadow attribute for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer. id is represented as a JSON string. id SHALL be present.

2.5.2.3.  type

   type represents the means through which an attribute tries to describe the intent of the attribute creator, using a list of pre-defined attribute types.

   type is represented as a JSON string. type MUST be present and it MUST be a valid selection for the chosen category. The list of valid category-type combinations is as follows:

   Antivirus detection
      link, comment, text, hex, attachment, other, anonymised

   Artifacts dropped
      md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, impfuzzy, authentihash, vhash, cdhash, filename, filename|md5, filename|sha1, filename|sha224, filename|sha256, filename|sha384, filename|sha512, filename|sha512/224, filename|sha512/256, filename|sha3-224, filename|sha3-256, filename|sha3-384, filename|sha3-512, filename|authentihash, filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, filename|impfuzzy, filename|pehash, regkey, regkey|value, pattern-in-file, pattern-in-memory, filename-pattern, pdb, stix2-pattern, yara, sigma, attachment, malware-sample, named pipe, mutex, windows-scheduled-task, windows-service-name, windows-service-displayname, comment, text, hex, x509-fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, other, cookie, gene, kusto-query, mime-type, anonymised, pgp-public-key, pgp-private-key

   Attribution
      threat-actor, campaign-name,
campaign-id, whois-registrant-phone, 805 whois-registrant-email, whois-registrant-name, whois-registrant- 806 org, whois-registrar, whois-creation-date, comment, text, x509- 807 fingerprint-sha1, x509-fingerprint-md5, x509-fingerprint-sha256, 808 other, dns-soa-email, anonymised, email 810 External analysis 811 md5, sha1, sha256, sha3-224, sha3-256, sha3-384, sha3-512, 812 filename, filename|md5, filename|sha1, filename|sha256, 813 filename|sha3-224, filename|sha3-256, filename|sha3-384, 814 filename|sha3-512, ip-src, ip-dst, ip-dst|port, ip-src|port, mac- 815 address, mac-eui-64, hostname, domain, domain|ip, url, user-agent, 816 regkey, regkey|value, AS, snort, bro, zeek, pattern-in-file, 817 pattern-in-traffic, pattern-in-memory, filename-pattern, 818 vulnerability, cpe, weakness, attachment, malware-sample, link, 819 comment, text, x509-fingerprint-sha1, x509-fingerprint-md5, x509- 820 fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, hasshserver- 821 md5, github-repository, other, cortex, anonymised, community-id 823 Financial fraud 824 btc, dash, xmr, iban, bic, bank-account-nr, aba-rtn, bin, cc- 825 number, prtn, phone-number, comment, text, other, hex, anonymised 827 Internal reference 828 text, link, comment, other, hex, anonymised, git-commit-id 830 Network activity 831 ip-src, ip-dst, ip-dst|port, ip-src|port, port, hostname, domain, 832 domain|ip, mac-address, mac-eui-64, email, email-dst, email-src, 833 eppn, url, uri, user-agent, http-method, AS, snort, pattern-in- 834 file, filename-pattern, stix2-pattern, pattern-in-traffic, 835 attachment, comment, text, x509-fingerprint-md5, x509-fingerprint- 836 sha1, x509-fingerprint-sha256, ja3-fingerprint-md5, hassh-md5, 837 hasshserver-md5, other, hex, cookie, hostname|port, bro, zeek, 838 anonymised, community-id, email-subject 840 Other 841 comment, text, other, size-in-bytes, counter, datetime, cpe, port, 842 float, hex, phone-number, boolean, anonymised, pgp-public-key, 843 pgp-private-key 845 Payload 
delivery 846 md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, 847 sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, 848 impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, 849 filename|md5, filename|sha1, filename|sha224, filename|sha256, 850 filename|sha384, filename|sha512, filename|sha512/224, 851 filename|sha512/256, filename|sha3-224, filename|sha3-256, 852 filename|sha3-384, filename|sha3-512, filename|authentihash, 853 filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, 854 filename|impfuzzy, filename|pehash, mac-address, mac-eui-64, ip- 855 src, ip-dst, ip-dst|port, ip-src|port, hostname, domain, email, 856 email-src, email-dst, email-subject, email-attachment, email-body, 857 url, user-agent, AS, pattern-in-file, pattern-in-traffic, 858 filename-pattern, stix2-pattern, yara, sigma, mime-type, 859 attachment, malware-sample, link, malware-type, comment, text, 860 hex, vulnerability, cpe, weakness, x509-fingerprint-sha1, x509- 861 fingerprint-md5, x509-fingerprint-sha256, ja3-fingerprint-md5, 862 hassh-md5, hasshserver-md5, other, hostname|port, email-dst- 863 display-name, email-src-display-name, email-header, email-reply- 864 to, email-x-mailer, email-mime-boundary, email-thread-index, 865 email-message-id, mobile-application-id, chrome-extension-id, 866 whois-registrant-email, anonymised 868 Payload installation 869 md5, sha1, sha224, sha256, sha384, sha512, sha512/224, sha512/256, 870 sha3-224, sha3-256, sha3-384, sha3-512, ssdeep, imphash, telfhash, 871 impfuzzy, authentihash, vhash, pehash, tlsh, cdhash, filename, 872 filename|md5, filename|sha1, filename|sha224, filename|sha256, 873 filename|sha384, filename|sha512, filename|sha512/224, 874 filename|sha512/256, filename|sha3-224, filename|sha3-256, 875 filename|sha3-384, filename|sha3-512, filename|authentihash, 876 filename|vhash, filename|ssdeep, filename|tlsh, filename|imphash, 877 filename|impfuzzy, filename|pehash, pattern-in-file, 
pattern-in- 878 traffic, pattern-in-memory, filename-pattern, stix2-pattern, yara, 879 sigma, vulnerability, cpe, weakness, attachment, malware-sample, 880 malware-type, comment, text, hex, x509-fingerprint-sha1, x509- 881 fingerprint-md5, x509-fingerprint-sha256, mobile-application-id, 882 chrome-extension-id, other, mime-type, anonymised 884 Payload type 885 comment, text, other, anonymised 887 Persistence mechanism 888 filename, regkey, regkey|value, comment, text, other, hex, 889 anonymised 891 Person 892 first-name, middle-name, last-name, date-of-birth, place-of-birth, 893 gender, passport-number, passport-country, passport-expiration, 894 redress-number, nationality, visa-number, issue-date-of-the-visa, 895 primary-residence, country-of-residence, special-service-request, 896 frequent-flyer-number, travel-details, payment-details, place- 897 port-of-original-embarkation, place-port-of-clearance, place-port- 898 of-onward-foreign-destination, passenger-name-record-locator- 899 number, comment, text, other, phone-number, identity-card-number, 900 anonymised, email, pgp-public-key, pgp-private-key 902 Social network 903 github-username, github-repository, github-organisation, jabber- 904 id, twitter-id, email, email-src, email-dst, eppn, comment, text, 905 other, whois-registrant-email, anonymised, pgp-public-key, pgp- 906 private-key 908 Support Tool 909 link, text, attachment, comment, other, hex, anonymised 911 Targeting data 912 target-user, target-email, target-machine, target-org, target- 913 location, target-external, comment, anonymised 915 Attributes are based on the usage within their different communities. 916 Attributes can be extended on a regular basis and this reference 917 document is updated accordingly. 919 2.5.2.4. category 921 category represents the intent of what the attribute is describing as 922 selected by the attribute creator, using a list of pre-defined 923 attribute categories. 925 category is represented as a JSON string. 
category MUST be present and it MUST be a valid selection for the chosen type. The list of valid category-type combinations is given above.

2.5.2.5. to_ids

to_ids represents whether the Attribute that would be created if the ShadowAttribute is accepted is meant to be actionable. Actionable attributes are attributes that can be used in automated processes as a pattern for detection in a Local or Network Intrusion Detection System, in log analysis tools or even in filtering mechanisms.

to_ids is represented as a JSON boolean. to_ids MUST be present.

2.5.2.6. event_id

event_id represents a human-readable identifier referencing the Event object that the ShadowAttribute belongs to.

The event_id SHOULD be updated when the event is imported to reflect the newly created event's id on the instance.

event_id is represented as a JSON string. event_id MUST be present.

2.5.2.7. old_id

old_id represents a human-readable identifier referencing the Attribute object that the ShadowAttribute belongs to. A ShadowAttribute can in this way target an existing Attribute, implying that it is a proposal to modify an existing Attribute, or alternatively it can be a proposal to create a new Attribute for the containing Event.

The old_id SHOULD be updated when the event is imported to reflect the newly created Attribute's id on the instance. Alternatively, if the ShadowAttribute proposes the creation of a new Attribute, it should be set to 0.

old_id is represented as a JSON string. old_id MUST be present.

2.5.2.8. timestamp

timestamp represents a reference time when the attribute was created or last modified. timestamp is expressed in seconds (decimal) since the 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.5.2.9. comment

comment is a contextual comment field.
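The ShadowAttribute rules of section 2.5 (type validity for the chosen category, unsigned identifiers carried as JSON strings, old_id set to 0 for a proposal that creates a new Attribute, and the proposal_to_delete and deleted flags described further on) combined into one checker plus the "accept" step, as an added example that is not part of the draft and not MISP project code. VALID_TYPES is a constructed subset of the category-type list above and EXISTING_ATTRIBUTES is a constructed event state; SAMPLE_PROPOSAL is the draft's own sample ShadowAttribute.

```python
"""Validating and applying MISP ShadowAttribute proposals (section 2.5).

Added example, not MISP project code. VALID_TYPES is a constructed subset of
the draft's category-type table, EXISTING_ATTRIBUTES is a constructed event
state, and SAMPLE_PROPOSAL is the draft's sample ShadowAttribute.
"""

# Constructed subset of the category-type combinations listed in the draft.
VALID_TYPES = {
    "Network activity": {"ip-src", "ip-dst", "ip-dst|port", "ip-src|port", "port",
                         "hostname", "domain", "domain|ip", "url", "user-agent"},
    "Payload delivery": {"md5", "sha1", "sha256", "filename", "filename|sha256",
                         "url", "email-src", "attachment", "malware-sample"},
    "Targeting data": {"target-user", "target-email", "target-machine", "target-org",
                       "target-location", "target-external", "comment", "anonymised"},
}

REQUIRED_KEYS = ("uuid", "type", "category", "to_ids", "event_id", "old_id",
                 "org_id", "proposal_to_delete", "value")


def _unsigned_int_string(value):
    """Human-readable identifiers are unsigned integers carried as JSON strings."""
    return isinstance(value, str) and value.isdigit()


def validate_shadow_attribute(sa):
    """Return the list of rule violations; an empty list means the proposal is well-formed."""
    errors = [f"{key} MUST be present" for key in REQUIRED_KEYS if key not in sa]
    if errors:
        return errors
    if sa["category"] not in VALID_TYPES:
        errors.append(f"unknown category {sa['category']!r}")
    elif sa["type"] not in VALID_TYPES[sa["category"]]:
        errors.append(f"type {sa['type']!r} is not valid for category {sa['category']!r}")
    for key in ("to_ids", "proposal_to_delete"):
        if not isinstance(sa[key], bool):
            errors.append(f"{key} MUST be a JSON boolean")
    for key in ("event_id", "old_id", "org_id"):
        if not _unsigned_int_string(sa[key]):
            errors.append(f"{key} MUST be an unsigned integer in a JSON string")
    if "timestamp" in sa and not _unsigned_int_string(sa["timestamp"]):
        errors.append("timestamp MUST be Unix seconds in a JSON string")
    # old_id "0" means "create a new Attribute", so a deletion cannot target it.
    if sa["proposal_to_delete"] is True and sa["old_id"] == "0":
        errors.append("proposal_to_delete is true but old_id is 0")
    return errors


def apply_proposal(attributes, sa):
    """Apply an accepted proposal to {id: attribute}; return (action, new state).

    The input dict is left untouched. A revoked proposal (deleted == true)
    only informs other instances and is never applied.
    """
    problems = validate_shadow_attribute(sa)
    if problems:
        raise ValueError("; ".join(problems))
    if sa.get("deleted", False):
        return "ignored-revoked", dict(attributes)
    updated = dict(attributes)
    target = sa["old_id"]
    if target != "0" and target not in updated:
        raise KeyError(f"old_id {target} does not reference a known Attribute")
    if sa["proposal_to_delete"]:
        del updated[target]
        return "deleted", updated
    fields = {k: sa[k] for k in ("type", "category", "to_ids", "value", "comment") if k in sa}
    if target == "0":
        new_id = str(max((int(i) for i in updated), default=0) + 1)
        updated[new_id] = dict(fields, id=new_id, event_id=sa["event_id"])
        return "created", updated
    updated[target] = dict(updated[target], **fields)
    return "modified", updated


# The draft's sample ShadowAttribute (section 2.5.1), without its nested Org.
SAMPLE_PROPOSAL = {
    "id": "8", "type": "ip-src", "category": "Network activity", "to_ids": False,
    "uuid": "57d475f1-da78-4569-89de-1458c0a83869",
    "event_uuid": "57d475e6-41c4-41ca-b450-145ec0a83869",
    "event_id": "9", "old_id": "319", "comment": "", "org_id": "1",
    "proposal_to_delete": False, "value": "5.5.5.5", "deleted": False,
}

# Constructed state of event 9 on the receiving instance: Attribute 319 already exists.
EXISTING_ATTRIBUTES = {
    "319": {"id": "319", "type": "ip-src", "category": "Network activity",
            "to_ids": True, "value": "5.5.5.4", "event_id": "9"},
}

if __name__ == "__main__":
    print(validate_shadow_attribute(SAMPLE_PROPOSAL))
    print(apply_proposal(EXISTING_ATTRIBUTES, SAMPLE_PROPOSAL))
```

Run against the draft's sample the checker returns no violations and the accept step reports "modified", replacing the value and to_ids of Attribute 319; with old_id set to "0" the same proposal creates Attribute 320, and with proposal_to_delete set it removes 319. The guard on old_id "0" with proposal_to_delete enforces the MUST NOT in 2.5.2.11 before anything is applied.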
comment is represented by a JSON string. comment MAY be present.

2.5.2.10. org_id

org_id represents a human-readable identifier referencing the proposal creator's Organisation object. A human-readable identifier MUST be represented as an unsigned integer.

Whilst attributes can only be created by the event creator organisation, shadow attributes can be created by third parties. org_id tracks the creator organisation.

org_id is represented by a JSON string and MUST be present.

2.5.2.11. proposal_to_delete

proposal_to_delete is a boolean flag that sets whether the shadow attribute proposes to alter an attribute or whether it proposes to remove it completely.

Accepting a shadow attribute with this flag set will remove the target attribute.

proposal_to_delete is a JSON boolean and it MUST be present. If proposal_to_delete is set to true, old_id MUST NOT be 0.

2.5.2.12. deleted

deleted represents a setting that allows shadow attributes to be revoked. Revoked shadow attributes only serve to inform other instances that the shadow attribute is no longer active.

deleted is represented by a JSON boolean. deleted SHOULD be present.

2.5.2.13. data

data contains the base64 encoded contents of an attachment or a malware sample. For malware samples, the sample MUST be encrypted using a password protected zip archive, with the password being "infected".

data is represented by a JSON string in base64 encoding. data MUST be set for shadow attributes of type malware-sample and attachment.

2.5.2.14. first_seen

first_seen represents a reference time when the attribute was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.

first_seen is represented as a JSON string. first_seen MAY be present.

2.5.2.15. last_seen

last_seen represents a reference time when the attribute was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.

last_seen is represented as a JSON string. last_seen MAY be present.

2.5.3. Org

An Org object is composed of a uuid, a name and an id.

The uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the organization. The organization UUID is globally assigned to an organization and SHALL be kept over time.

The name is a readable description of the organization and SHOULD be present. The id is a human-readable identifier generated by the instance and used as reference in the event. A human-readable identifier MUST be represented as an unsigned integer.

uuid, name and id are represented as JSON strings. uuid, name and id MUST be present.

2.5.3.1. Sample Org Object

   "Org": {
     "id": "2",
     "name": "CIRCL",
     "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
   }

2.5.3.2. value

value represents the payload of an attribute. The format of the value is dependent on the type of the attribute.

value is represented by a JSON string. value MUST be present.

2.6. Object

Objects serve as a contextual bond between a list of attributes within an event. Their main purpose is to describe more complex structures than can be described by a single attribute. Each object is created using an Object Template and carries within it the meta-data of the template used for its creation. Objects belong to a meta-category and are defined by a name.

The schema used is described by the template_uuid and template_version fields.

A MISP document containing an Object MUST contain a name, a meta-category, a description, a template_uuid and a template_version as described in the "Object Attributes" section.

2.6.1. Sample Object

   "Object": {
     "id": "588",
     "name": "file",
     "meta-category": "file",
     "description": "File object describing a file with meta-information",
     "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215",
     "template_version": "3",
     "event_id": "56",
     "uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
     "timestamp": "1505747965",
     "distribution": "5",
     "sharing_group_id": "0",
     "comment": "",
     "deleted": false,
     "ObjectReference": [],
     "Attribute": [
       {
         "id": "7822",
         "type": "filename",
         "category": "Payload delivery",
         "to_ids": true,
         "uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1",
         "event_id": "56",
         "distribution": "0",
         "timestamp": "1505747963",
         "comment": "",
         "sharing_group_id": "0",
         "deleted": false,
         "disable_correlation": false,
         "object_id": "588",
         "object_relation": "filename",
         "value": "StarCraft.exe",
         "ShadowAttribute": [],
         "first_seen": null,
         "last_seen": null
       }
     ],
     "first_seen": "2019-06-02T22:14:28.711954+00:00",
     "last_seen": null
   }

                                 Figure 1

2.6.2. Object Attributes

2.6.2.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object. The uuid MUST be preserved for any updates or transfer of the same object. UUID version 4 is RECOMMENDED when assigning it to a new object.

2.6.2.2. id

id represents the human-readable identifier associated to the object for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

id is represented as a JSON string. id SHALL be present.

2.6.2.3. name

name represents the human-readable name of the object describing the intent of the object package.

name is represented as a JSON string. name MUST be present.

2.6.2.4. meta-category

meta-category represents the sub-category of objects that the given object belongs to. meta-categories are not tied to a fixed list of options but can be created on the fly.

meta-category is represented as a JSON string. meta-category MUST be present.

2.6.2.5. description

description is a human-readable description of the given object type, as derived from the template used for creation.

description is represented as a JSON string. description SHALL be present.

2.6.2.6. template_uuid

template_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the template used to create the object. The template_uuid MUST be preserved to keep the object's association with the correct template used for creation. UUID version 4 is RECOMMENDED when assigning it to a new object.

2.6.2.7. template_version

template_version represents a numeric incrementing version of the template used to create the object. It is used to associate the object to the correct version of the template and, together with the template_uuid, forms an association to the correct template type and version.

template_version is represented as a JSON string. template_version MUST be present.

2.6.2.8. event_id

event_id represents the human-readable identifier of the event that the object belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

event_id is represented as a JSON string. event_id SHALL be present.

2.6.2.9. timestamp

timestamp represents a reference time when the object was created or last modified. timestamp is expressed in seconds (decimal) since the 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.6.2.10. distribution

distribution represents the basic distribution rules of the object.
The system must adhere to the distribution setting for access control and for dissemination of the object.

distribution is represented by a JSON string. distribution MUST be present and be one of the following options:

   0  Your Organisation Only
   1  This Community Only
   2  Connected Communities
   3  All Communities
   4  Sharing Group

2.6.2.11. sharing_group_id

sharing_group_id represents a human-readable identifier referencing a Sharing Group object that defines the distribution of the object, if distribution level "4" is set. A human-readable identifier MUST be represented as an unsigned integer.

sharing_group_id is represented by a JSON string and SHOULD be present. If a distribution level other than "4" is chosen, the sharing_group_id MUST be set to "0".

2.6.2.12. comment

comment is a contextual comment field.

comment is represented by a JSON string. comment MAY be present.

2.6.2.13. deleted

deleted represents a setting that allows objects to be revoked. Revoked objects are not actionable and exist merely to inform other instances of a revocation.

deleted is represented by a JSON boolean. deleted MUST be present.

2.6.2.14. Attribute

Attribute is an array of attributes that describe the object with data.

Each attribute in an object MUST contain the parent event's ID in the event_id field and the parent object's ID in the object_id field.

2.6.2.15. first_seen

first_seen represents a reference time when the object was first seen. first_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.

first_seen is represented as a JSON string. first_seen MAY be present.

2.6.2.16. last_seen

last_seen represents a reference time when the object was last seen. last_seen is expressed as an ISO 8601 datetime up to the micro-second with time zone support.
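Taken together, the Object rules of section 2.6 (the fields that MUST or SHALL be present, the distribution levels, the coupling between distribution "4" and sharing_group_id, the timestamp formats, and the event_id and object_id that every contained attribute must carry) as an added example that is neither the draft's nor MISP's own code. It runs over the draft's own Figure 1 sample, whose object-level distribution is "5", a value outside the 0 to 4 list in 2.6.2.10, so the check reports it; all other inputs below are constructed.

```python
"""Consistency checks for a MISP Object (section 2.6). Added example, not MISP code.

SAMPLE_OBJECT is the draft's Figure 1 sample; everything else is constructed.
"""
from datetime import datetime

# Presence requirements taken from the intro of 2.6 and the MUST/SHALL in 2.6.2.x.
REQUIRED_OBJECT_KEYS = ("name", "meta-category", "description", "template_uuid",
                        "template_version", "id", "event_id", "timestamp",
                        "distribution", "deleted")
OBJECT_DISTRIBUTION_LEVELS = {"0", "1", "2", "3", "4"}  # section 2.6.2.10


def _unsigned_int_string(value):
    """Human-readable identifiers and timestamps: unsigned integers in a JSON string."""
    return isinstance(value, str) and value.isdigit()


def _seen_ok(value):
    """first_seen / last_seen: absent, null, or ISO 8601 with a time zone offset."""
    if value is None:
        return True
    try:
        return datetime.fromisoformat(value).tzinfo is not None
    except (TypeError, ValueError):
        return False


def check_object(obj):
    """Return a list of violations of section 2.6 for one Object; [] means consistent."""
    errors = [f"{key} MUST be present" for key in REQUIRED_OBJECT_KEYS if key not in obj]
    if errors:
        return errors
    for key in ("id", "event_id", "template_version", "timestamp"):
        if not _unsigned_int_string(obj[key]):
            errors.append(f"{key} MUST be an unsigned integer in a JSON string")
    if not isinstance(obj["deleted"], bool):
        errors.append("deleted MUST be a JSON boolean")
    if obj["distribution"] not in OBJECT_DISTRIBUTION_LEVELS:
        errors.append(f"distribution {obj['distribution']!r} is not one of the Object levels 0-4")
    # sharing_group_id is meaningful only with distribution "4" and MUST be "0" otherwise.
    sharing_group_id = obj.get("sharing_group_id", "0")
    if obj["distribution"] == "4" and sharing_group_id == "0":
        errors.append("distribution 4 requires a non-zero sharing_group_id")
    if obj["distribution"] != "4" and sharing_group_id != "0":
        errors.append("sharing_group_id MUST be 0 unless distribution is 4")
    for key in ("first_seen", "last_seen"):
        if not _seen_ok(obj.get(key)):
            errors.append(f"{key} MUST be an ISO 8601 datetime with time zone")
    # Every attribute of an object carries the parent event's and object's IDs.
    for index, attr in enumerate(obj.get("Attribute", [])):
        if attr.get("event_id") != obj["event_id"]:
            errors.append(f"Attribute[{index}].event_id does not match the object's event_id")
        if attr.get("object_id") != obj["id"]:
            errors.append(f"Attribute[{index}].object_id does not match the object's id")
    return errors


# The draft's Figure 1 sample, with first_seen/last_seen at Object level (section 2.6.2.15).
SAMPLE_OBJECT = {
    "id": "588", "name": "file", "meta-category": "file",
    "description": "File object describing a file with meta-information",
    "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "3",
    "event_id": "56", "uuid": "398b0094-0384-4c48-9bf0-22b3dff9c4d3",
    "timestamp": "1505747965", "distribution": "5", "sharing_group_id": "0",
    "comment": "", "deleted": False, "ObjectReference": [],
    "Attribute": [{
        "id": "7822", "type": "filename", "category": "Payload delivery", "to_ids": True,
        "uuid": "59bfe3fb-bde0-4dfe-b5b1-2b10a07724d1", "event_id": "56",
        "distribution": "0", "timestamp": "1505747963", "comment": "",
        "sharing_group_id": "0", "deleted": False, "disable_correlation": False,
        "object_id": "588", "object_relation": "filename", "value": "StarCraft.exe",
        "ShadowAttribute": [], "first_seen": None, "last_seen": None,
    }],
    "first_seen": "2019-06-02T22:14:28.711954+00:00", "last_seen": None,
}

if __name__ == "__main__":
    for problem in check_object(SAMPLE_OBJECT):
        print(problem)
```

The sharing_group_id rule is checked in both directions: a sharing-group distribution without a group reference is as inconsistent as a group reference on an object that is not distributed to a sharing group, and either case should be caught before the object is stored or forwarded.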
last_seen is represented as a JSON string. last_seen MAY be present.

2.7. Object References

Object References serve as a logical link between an Object and another referenced Object or Attribute. The relationship is categorised by an enumerated value from a fixed vocabulary.

Taking the relationship_type from the MISP object relationship list [MISP-R] is RECOMMENDED to ensure a coherent naming of the relationships.

All Object References MUST contain an object_uuid, a referenced_uuid and a relationship_type.

2.7.1. Sample ObjectReference object

   "ObjectReference": {
     "id": "195",
     "uuid": "59c21a2c-c0ac-4083-93b3-363da07724d1",
     "timestamp": "1505892908",
     "object_id": "591",
     "event_id": "113",
     "referenced_id": "590",
     "referenced_type": "1",
     "relationship_type": "derived-from",
     "comment": "",
     "deleted": false,
     "object_uuid": "59c1134d-8a40-4c14-ad94-0f7ba07724d1",
     "referenced_uuid": "59c1133c-9adc-4d06-a34b-0f7ca07724d1"
   }

2.7.2. ObjectReference Attributes

2.7.2.1. uuid

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object reference. The uuid MUST be preserved for any updates or transfer of the same object reference. UUID version 4 is RECOMMENDED when assigning it to a new object reference.

2.7.2.2. id

id represents the human-readable identifier associated to the object reference for a specific MISP instance.

id is represented as a JSON string. id SHALL be present.

2.7.2.3. timestamp

timestamp represents a reference time when the object reference was created or last modified. timestamp is expressed in seconds (decimal) since the 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.7.2.4. object_id

object_id represents the human-readable identifier of the object that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

object_id is represented as a JSON string. object_id SHALL be present.

2.7.2.5. event_id

event_id represents the human-readable identifier of the event that the object reference belongs to on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

event_id is represented as a JSON string. event_id SHALL be present.

2.7.2.6. referenced_id

referenced_id represents the human-readable identifier of the object or attribute that the parent object of the object reference points to on a specific MISP instance.

referenced_id is represented as a JSON string. referenced_id MAY be present.

2.7.2.7. referenced_type

referenced_type represents the numeric value describing what the object reference points to, "0" representing an attribute and "1" representing an object.

referenced_type is represented as a JSON string. referenced_type MAY be present.

2.7.2.8. relationship_type

relationship_type represents the human-readable context of the relationship between an object and another object or attribute as described by the object reference.

relationship_type is represented as a JSON string. relationship_type MUST be present.

2.7.2.9. comment

comment is a contextual comment field.

comment is represented by a JSON string. comment MAY be present.

2.7.2.10. deleted

deleted represents a setting that allows object references to be revoked. Revoked object references are not actionable and exist merely to inform other instances of a revocation.

deleted is represented by a JSON boolean. deleted MUST be present.

2.7.2.11. object_uuid

object_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object that the given object reference belongs to. The object_uuid MUST be preserved to keep the object reference's association with the object.

2.7.2.12. referenced_uuid

referenced_uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the object or attribute that is being referenced by the object reference. The referenced_uuid MUST be preserved to keep the object reference's association with the object or attribute.

2.8. EventReport

EventReports are used to complement an event with one or more reports in Markdown format. The EventReport contains unstructured information which can be linked to Attributes, Objects, Tags or Galaxies through an extension to the Markdown markup language.

2.8.1. id

id represents the human-readable identifier associated to the EventReport for a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

id is represented as a JSON string. id SHALL be present.

2.8.2. UUID

uuid represents the Universally Unique IDentifier (UUID) [RFC4122] of the EventReport. The uuid MUST be preserved for any updates or transfer of the same EventReport. UUID version 4 is RECOMMENDED when assigning it to a new EventReport.

uuid is represented as a JSON string. uuid MUST be present.

2.8.3. event_id

event_id represents the human-readable identifier associating the EventReport to an event on a specific MISP instance. A human-readable identifier MUST be represented as an unsigned integer.

event_id is represented as a JSON string. event_id MUST be present.

2.8.4. name

name represents the information field of the EventReport. name is a free-text value to provide a human-readable summary of the report.
name SHOULD NOT be longer than 256 characters and SHOULD NOT include new-lines.

name is represented as a JSON string. name MUST be present.

2.8.5. content

content includes the raw EventReport in Markdown format with or without the specific MISP Markdown markup extension.

The MISP Markdown extension is composed of a prefix symbol, followed by the scope (attribute, object, tag or galaxymatrix) in square brackets, followed by the UUID in parentheses.

content is represented as a JSON string. content MUST be present.

2.8.6. distribution

distribution represents the basic distribution rules of the EventReport. The system must adhere to the distribution setting for access control and for dissemination of the EventReport.

distribution is represented by a JSON string. distribution MUST be present and be one of the following options:

   0  Your Organisation Only
   1  This Community Only
   2  Connected Communities
   3  All Communities
   4  Sharing Group
   5  Inherit Event

2.8.7. sharing_group_id

sharing_group_id represents the local id, on the MISP instance, of the Sharing Group associated with the distribution.

sharing_group_id is represented by a JSON string. sharing_group_id MUST be present and set to "0" if not used.

2.8.8. timestamp

timestamp represents a reference time when the EventReport was created or last modified. timestamp is expressed in seconds (decimal) since the 1st of January 1970 (Unix timestamp). The time zone MUST be UTC.

timestamp is represented as a JSON string. timestamp MUST be present.

2.8.9. deleted

deleted represents a setting that allows an EventReport to be revoked. Revoked EventReports are not actionable and exist merely to inform other instances of a revocation.

deleted is represented by a JSON boolean. deleted MUST be present.

2.9. Tag

A tag is a simple method to classify an event with a simple string. The tag name can be freely chosen. The tag name can also be chosen from a fixed machine-tag vocabulary called MISP taxonomies [MISP-T]. When an event is distributed outside an organisation, the use of MISP taxonomies [MISP-T] is RECOMMENDED to ensure a coherent naming of the tags. Tag is represented as a JSON array in which each element describes one associated tag. A tag array SHALL be at event level or attribute level. A tag element is described with a name, id, colour and exportable flag.

exportable represents a setting indicating whether the tag is kept local or exportable to other MISP instances. exportable is represented by a JSON boolean. id is a human-readable identifier that references the tag on the local instance. colour represents an RGB value of the tag.

name MUST be present. colour, id and exportable SHALL be present.

2.9.1. Sample Tag

   "Tag": [{
     "exportable": true,
     "colour": "#ffffff",
     "name": "tlp:white",
     "id": "2"
   }]

2.10. Sighting

A sighting is an ascertainment which describes whether an attribute has been seen under a given set of conditions. The sighting can include the organisation which sighted the attribute or can be anonymised. Sighting is composed of a JSON array in which each element describes one singular instance of a sighting. A sighting element is a JSON object composed of the following values:

type MUST be present. type describes the type of a sighting. MISP allows 3 default types:

   +------------+------------------------------------------------------+
   | Sighting   | Description                                          |
   | type       |                                                      |
   +------------+------------------------------------------------------+
   | 0          | denotes an attribute which has been seen             |
   | 1          | denotes an attribute which has been seen and         |
   |            | confirmed as false-positive                          |
   | 2          | denotes an attribute which will be expired at the    |
   |            | time of the sighting                                 |
   +------------+------------------------------------------------------+

uuid MUST be present. uuid references the uuid of the sighted attribute.

date_sighting MUST be present. date_sighting is expressed in seconds (decimal) elapsed since the 1st of January 1970 (Unix timestamp). date_sighting represents when the referenced attribute, designated by its uuid, is sighted.

source MAY be present. source is represented as a JSON string and represents the human-readable version of the sighting source, which can be a given piece of software (e.g. a SIEM), a device or a specific analytical process.

id, event_id and attribute_id MAY be present.

id represents the human-readable identifier of the sighting reference which belongs to a specific MISP instance. event_id represents the human-readable identifier of the event referenced by the sighting and belongs to a specific MISP instance. attribute_id represents the human-readable identifier of the attribute referenced by the sighting and belongs to a specific MISP instance.

org_id MAY be present along with the JSON object describing the organisation. If the org_id is not present, the sighting is considered anonymised.

org_id represents the human-readable identifier of the organisation which did the sighting and belongs to a specific MISP instance.

A human-readable identifier MUST be represented as an unsigned integer.

2.10.1. Sample Sighting

   "Sighting": [
     {
       "id": "13599",
       "attribute_id": "1201615",
       "event_id": "10164",
       "org_id": "2",
       "date_sighting": "1517581400",
       "uuid": "5a747459-41b4-4826-9b29-42dd950d210f",
       "source": "M2M-CIRCL",
       "type": "0",
       "Organisation": {
         "id": "2",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
         "name": "CIRCL"
       }
     },
     {
       "id": "13601",
       "attribute_id": "1201615",
       "event_id": "10164",
       "org_id": "2",
       "date_sighting": "1517581401",
       "uuid": "5a74745a-a190-4d04-b719-4916950d210f",
       "source": "M2M-CIRCL",
       "type": "0",
       "Organisation": {
         "id": "2",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f",
         "name": "CIRCL"
       }
     }
   ]

2.11. Galaxy

A galaxy is a simple method to express a large object, called a cluster, that can be attached to MISP events. A cluster can be composed of one or more elements. Elements are expressed as key-values.

2.11.1. Sample Galaxy

   "Galaxy": [{
     "id": "18",
     "uuid": "698774c7-8022-42c4-917f-8d6e4f06ada3",
     "name": "Threat Actor",
     "type": "threat-actor",
     "description": "Threat actors are characteristics of malicious actors (or adversaries) representing a cyber attack threat including presumed intent and historically observed behaviour.",
     "version": "1",
     "GalaxyCluster": [
       {
         "id": "1699",
         "uuid": "7cdff317-a673-4474-84ec-4f1754947823",
         "type": "threat-actor",
         "value": "Anunak",
         "tag_name": "misp-galaxy:threat-actor=\"Anunak\"",
         "description": "Groups targeting financial organizations or people with significant financial assets.",
         "galaxy_id": "18",
         "source": "MISP Project",
         "authors": [
           "Alexandre Dulaunoy",
           "Florian Roth",
           "Thomas Schreck",
           "Timo Steffens",
           "Various"
         ],
         "tag_id": "111",
         "meta": {
           "synonyms": ["Carbanak", "Carbon Spider"],
           "country": ["RU"],
           "motive": ["Cybercrime"]
         }
       }
     ]
   }]

3. JSON Schema

The JSON Schema [JSON-SCHEMA] below defines the structure of the MISP core format as literally described before. The JSON Schema is used to validate MISP events at creation time or parsing.
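Before the schema itself, a small validator for exactly the keyword subset it relies on (type, properties, additionalProperties, required, items, uniqueItems and local $ref), as an added example that is neither the draft's nor MISP's code and not a complete JSON Schema implementation. The three definitions in SCHEMA_EXCERPT are copied from the schema below; the array schema for Sighting, the validate_sightings helper and the inputs checked are constructed for this example, and the first element of the draft's Sample Sighting is used as the instance.

```python
"""A small validator for the JSON Schema keyword subset the MISP schema uses.

Added example, not MISP code and not a full JSON Schema implementation. It
handles type, properties, additionalProperties, required, items, uniqueItems
and local $ref. SCHEMA_EXCERPT copies three definitions from the draft's
schema; SIGHTING_ARRAY and validate_sightings are constructed for the example.
"""
import json

# Excerpt of the draft's schema (section 3); "sighthing" is spelled as in the draft.
SCHEMA_EXCERPT = {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "defs": {
        "org": {
            "type": "object", "additionalProperties": False,
            "properties": {"id": {"type": "string"}, "name": {"type": "string"},
                           "uuid": {"type": "string"}},
            "required": ["uuid"],
        },
        "organisation": {
            "type": "object", "additionalProperties": False,
            "properties": {"id": {"type": "string"}, "uuid": {"type": "string"},
                           "name": {"type": "string"}},
        },
        "sighthing": {
            "type": "object", "additionalProperties": False,
            "properties": {
                "id": {"type": "string"}, "attribute_id": {"type": "string"},
                "event_id": {"type": "string"}, "source": {"type": "string"},
                "type": {"type": "string"}, "org_id": {"type": "string"},
                "date_sighting": {"type": "string"}, "uuid": {"type": "string"},
                "Organisation": {"$ref": "#/defs/organisation"},
            },
        },
    },
}

# Constructed: how a Sighting array (section 2.10) would reference the definition.
SIGHTING_ARRAY = {"type": "array", "uniqueItems": True, "items": {"$ref": "#/defs/sighthing"}}

# JSON booleans are not numbers, so bool is excluded from integer/number.
_TYPE_CHECKS = {
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
    "string": lambda v: isinstance(v, str),
    "boolean": lambda v: isinstance(v, bool),
    "null": lambda v: v is None,
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
}


def _resolve_ref(ref, root):
    """Resolve a local JSON Pointer reference such as "#/defs/org" against the root."""
    if not ref.startswith("#/"):
        raise ValueError(f"only local references are supported: {ref}")
    node = root
    for part in ref[2:].split("/"):
        node = node[part.replace("~1", "/").replace("~0", "~")]
    return node


def validate(instance, schema, root, path="$"):
    """Return a list of violations of `schema` by `instance`; [] means valid."""
    if "$ref" in schema:
        return validate(instance, _resolve_ref(schema["$ref"], root), root, path)
    expected = schema.get("type")
    if expected is not None and not _TYPE_CHECKS[expected](instance):
        return [f"{path}: expected {expected}"]
    errors = []
    if isinstance(instance, dict):
        props = schema.get("properties", {})
        for name, subschema in props.items():
            if name in instance:
                errors += validate(instance[name], subschema, root, f"{path}.{name}")
        if schema.get("additionalProperties", True) is False:
            errors += [f"{path}: additional property {extra!r} is not allowed"
                       for extra in sorted(set(instance) - set(props))]
        errors += [f"{path}: required property {name!r} is missing"
                   for name in schema.get("required", []) if name not in instance]
    elif isinstance(instance, list):
        if "items" in schema:
            for index, item in enumerate(instance):
                errors += validate(item, schema["items"], root, f"{path}[{index}]")
        if schema.get("uniqueItems"):
            canonical = [json.dumps(item, sort_keys=True) for item in instance]
            if len(set(canonical)) != len(canonical):
                errors.append(f"{path}: items are not unique")
    return errors


def validate_sightings(sightings):
    """Validate a Sighting array against the (constructed) array schema."""
    return validate(sightings, SIGHTING_ARRAY, SCHEMA_EXCERPT, "$.Sighting")


# First element of the draft's Sample Sighting (section 2.10.1).
SAMPLE_SIGHTING = {
    "id": "13599", "attribute_id": "1201615", "event_id": "10164", "org_id": "2",
    "date_sighting": "1517581400", "uuid": "5a747459-41b4-4826-9b29-42dd950d210f",
    "source": "M2M-CIRCL", "type": "0",
    "Organisation": {"id": "2", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f", "name": "CIRCL"},
}

if __name__ == "__main__":
    print(validate_sightings([SAMPLE_SIGHTING]))
```

Because every definition in the schema sets additionalProperties to false, an unexpected key anywhere in the nested structure is rejected rather than silently carried along, and uniqueItems on the arrays catches a sighting that was delivered twice. The type check treats JSON booleans as distinct from numbers, which matters here since identifiers and timestamps travel as strings in this format.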
1679 { 1680 "$schema": "http://json-schema.org/draft-04/schema#", 1681 "title": "Validator for misp events", 1682 "id": "https://github.com/MISP/MISP/blob/2.4/format/2.4/schema.json", 1683 "defs": { 1684 "org": { 1685 "type": "object", 1686 "additionalProperties": false, 1687 "properties": { 1688 "id": { 1689 "type": "string" 1690 }, 1691 "name": { 1692 "type": "string" 1693 }, 1694 "uuid": { 1695 "type": "string" 1696 } 1697 }, 1698 "required": [ 1699 "uuid" 1700 ] 1701 }, 1702 "orgc": { 1703 "type": "object", 1704 "additionalProperties": false, 1705 "properties": { 1706 "id": { 1707 "type": "string" 1708 }, 1709 "name": { 1710 "type": "string" 1711 }, 1712 "uuid": { 1713 "type": "string" 1714 } 1715 }, 1716 "required": [ 1717 "uuid" 1718 ] 1719 }, 1720 "sharing_group": { 1721 "type": "object", 1722 "additionalProperties": false, 1723 "properties": { 1724 "id": { 1725 "type": "string" 1726 }, 1727 "name": { 1728 "type": "string" 1729 }, 1730 "releasability": { 1731 "type": "string" 1732 }, 1733 "description": { 1734 "type": "string" 1735 }, 1736 "uuid": { 1737 "type": "string" 1738 }, 1739 "organisation_uuid": { 1740 "type": "string" 1741 }, 1742 "org_id": { 1743 "type": "string" 1744 }, 1745 "sync_user_id": { 1746 "type": "string" 1747 }, 1748 "active": { 1749 "type": "boolean" 1750 }, 1751 "created": { 1752 "type": "string" 1753 }, 1754 "modified": { 1755 "type": "string" 1756 }, 1757 "local": { 1758 "type": "boolean" 1759 }, 1760 "roaming": { 1761 "type": "boolean" 1762 }, 1763 "Organisation": { 1764 "$ref": "#/defs/org" 1765 }, 1766 "SharingGroupOrg": { 1767 "type": "array", 1768 "uniqueItems": true, 1769 "items": { 1770 "$ref": "#/defs/sharing_group_org" 1771 } 1772 }, 1773 "SharingGroupServer": { 1774 "type": "array", 1775 "uniqueItems": true, 1776 "items": { 1777 "$ref": "#/defs/sharing_group_server" 1778 } 1779 }, 1780 "required": [ 1781 "uuid" 1782 ] 1783 }, 1784 "required": [ 1785 "uuid" 1786 ] 1787 }, 1788 "sharing_group_org": { 1789 "type": "object", 
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "sharing_group_id": {"type": "string"},
           "org_id": {"type": "string"},
           "extend": {"type": "boolean"},
           "Organisation": {"$ref": "#/defs/org"}
         }
       },
       "sharing_group_server": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "sharing_group_id": {"type": "string"},
           "server_id": {"type": "string"},
           "all_orgs": {"type": "boolean"},
           "Server": {"$ref": "#/defs/server"}
         }
       },
       "server": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "url": {"type": "string"},
           "name": {"type": "string"}
         }
       },
       "object": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "uuid": {"type": "string"},
           "name": {"type": "string"},
           "event_id": {"type": "string"},
           "description": {"type": "string"},
           "template_uuid": {"type": "string"},
           "template_version": {"type": "string"},
           "id": {"type": "string"},
           "meta-category": {"type": "string"},
           "deleted": {"type": "boolean"},
           "timestamp": {"type": "string"},
           "first_seen": {"type": "string"},
           "last_seen": {"type": "string"},
           "distribution": {"type": "string"},
           "sharing_group_id": {"type": "string"},
           "comment": {"type": "string"},
           "ObjectReference": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/objectreference"}
           },
           "Attribute": {
             "type": "array",
"uniqueItems": true, 1904 "items": { 1905 "$ref": "#/defs/attribute" 1906 } 1907 } 1908 } 1909 }, 1910 "sighthing": { 1911 "type": "object", 1912 "additionalProperties": false, 1913 "properties": { 1914 "id": { 1915 "type": "string" 1916 }, 1917 "attribute_id": { 1918 "type": "string" 1919 }, 1920 "event_id": { 1921 "type": "string" 1922 }, 1923 "source": { 1924 "type": "string" 1925 }, 1926 "type": { 1927 "type": "string" 1928 }, 1929 "org_id": { 1930 "type": "string" 1931 }, 1932 "date_sighting": { 1933 "type": "string" 1934 }, 1935 "uuid": { 1936 "type": "string" 1937 }, 1938 "Organisation": { 1939 "$ref": "#/defs/organisation" 1940 } 1941 } 1942 }, 1943 "organisation": { 1944 "type": "object", 1945 "additionalProperties": false, 1946 "properties": { 1947 "id": { 1948 "type": "string" 1949 }, 1950 "uuid": { 1951 "type": "string" 1952 }, 1953 "name": { 1954 "type": "string" 1955 } 1956 } 1957 }, 1958 "objectreference": { 1959 "type": "object", 1960 "additionalProperties": false, 1961 "properties": { 1962 "deleted": { 1963 "type": "boolean" 1964 }, 1965 "object_id": { 1966 "type": "string" 1967 }, 1968 "event_id": { 1969 "type": "string" 1970 }, 1971 "timestamp": { 1972 "type": "string" 1973 }, 1974 "id": { 1975 "type": "string" 1976 }, 1977 "uuid": { 1978 "type": "string" 1979 }, 1980 "type": { 1981 "type": "string" 1982 }, 1983 "referenced_id": { 1984 "type": "string" 1985 }, 1986 "referenced_uuid": { 1987 "type": "string" 1988 }, 1989 "referenced_type": { 1990 "type": "string" 1991 }, 1992 "relationship_type": { 1993 "type": "string" 1994 }, 1995 "object_uuid": { 1996 "type": "string" 1997 }, 1998 "comment": { 1999 "type": "string" 2000 }, 2001 "Object": { 2002 "$ref": "#/defs/object" 2003 } 2004 } 2005 }, 2006 "attribute": { 2007 "type": "object", 2008 "additionalProperties": false, 2009 "properties": { 2010 "id": { 2011 "type": "string" 2012 }, 2013 "old_id": { 2014 "type": "string" 2015 }, 2016 "type": { 2017 "type": "string" 2018 }, 2019 "category": { 2020 
"type": "string" 2021 }, 2022 "to_ids": { 2023 "type": "boolean" 2024 }, 2025 "uuid": { 2026 "type": "string" 2027 }, 2028 "event_id": { 2029 "type": "string" 2030 }, 2031 "event_uuid": { 2032 "type": "string" 2033 }, 2034 "proposal_to_delete": { 2035 "type": "boolean" 2036 }, 2037 "validationIssue": { 2038 "type": "boolean" 2039 }, 2040 "Org": { 2041 "$ref": "#/defs/organisation" 2042 }, 2043 "org_id": { 2044 "type": "string" 2045 }, 2046 "distribution": { 2047 "type": "string" 2048 }, 2049 "timestamp": { 2050 "type": "string" 2051 }, 2052 "first_seen": { 2053 "type": "string" 2054 }, 2055 "last_seen": { 2056 "type": "string" 2058 }, 2059 "comment": { 2060 "type": "string" 2061 }, 2062 "sharing_group_id": { 2063 "type": "string" 2064 }, 2065 "deleted": { 2066 "type": "boolean" 2067 }, 2068 "disable_correlation": { 2069 "type": "boolean" 2070 }, 2071 "value": { 2072 "type": "string" 2073 }, 2074 "data": { 2075 "type": "string" 2076 }, 2077 "object_relation": { 2078 "type": ["string", "null"] 2079 }, 2080 "object_id": { 2081 "type": "string" 2082 }, 2083 "SharingGroup": { 2084 "$ref": "#/defs/sharing_group" 2085 }, 2086 "ShadowAttribute": { 2087 "type": "array", 2088 "uniqueItems": true, 2089 "items": { 2090 "$ref": "#/defs/attribute" 2091 } 2092 }, 2093 "Sighting": { 2094 "type": "array", 2095 "uniqueItems": true, 2096 "items": { 2097 "$ref": "#/defs/sighthing" 2098 } 2099 }, 2100 "Galaxy": { 2101 "type": "array", 2102 "uniqueItems": true, 2103 "items": { 2104 "$ref": "#/defs/galaxy" 2105 } 2107 }, 2108 "Tag": { 2109 "uniqueItems": true, 2110 "type": "array", 2111 "items": { 2112 "$ref": "#/defs/tag" 2113 } 2114 } 2115 } 2116 }, 2117 "event": { 2118 "type": "object", 2119 "additionalProperties": false, 2120 "properties": { 2121 "id": { 2122 "type": "string" 2123 }, 2124 "orgc_id": { 2125 "type": "string" 2126 }, 2127 "org_id": { 2128 "type": "string" 2129 }, 2130 "date": { 2131 "type": "string" 2132 }, 2133 "extends_uuid": { 2134 "type": "string" 2135 }, 2136 
"threat_level_id": { 2137 "type": "string" 2138 }, 2139 "info": { 2140 "type": "string" 2141 }, 2142 "published": { 2143 "type": "boolean" 2144 }, 2145 "uuid": { 2146 "type": "string" 2147 }, 2148 "attribute_count": { 2149 "type": "string" 2150 }, 2151 "analysis": { 2152 "type": "string" 2153 }, 2154 "timestamp": { 2155 "type": "string" 2156 }, 2157 "distribution": { 2158 "type": "string" 2159 }, 2160 "proposal_email_lock": { 2161 "type": "boolean" 2162 }, 2163 "locked": { 2164 "type": "boolean" 2165 }, 2166 "publish_timestamp": { 2167 "type": "string" 2168 }, 2169 "sharing_group_id": { 2170 "type": "string" 2171 }, 2172 "disable_correlation": { 2173 "type": "boolean" 2174 }, 2175 "event_creator_email": { 2176 "type": "string" 2177 }, 2178 "Org": { 2179 "$ref": "#/defs/org" 2180 }, 2181 "Orgc": { 2182 "$ref": "#/defs/org" 2183 }, 2184 "SharingGroup": { 2185 "$ref": "#/defs/sharing_group" 2186 }, 2187 "Attribute": { 2188 "type": "array", 2189 "uniqueItems": true, 2190 "items": { 2191 "$ref": "#/defs/attribute" 2192 } 2193 }, 2194 "ShadowAttribute": { 2195 "type": "array", 2196 "uniqueItems": true, 2197 "items": { 2198 "$ref": "#/defs/attribute" 2199 } 2200 }, 2201 "RelatedEvent": { 2202 "type": "array", 2203 "uniqueItems": true, 2204 "items": { 2205 "type": "object", 2206 "additionalProperties": false, 2207 "properties": { 2208 "Event":{ 2209 "$ref": "#/defs/event" 2210 } 2211 } 2212 } 2213 }, 2214 "Galaxy": { 2215 "type": "array", 2216 "uniqueItems": true, 2217 "items": { 2218 "$ref": "#/defs/galaxy" 2219 } 2220 }, 2221 "Object": { 2222 "type": "array", 2223 "uniqueItems": true, 2224 "items": { 2225 "$ref": "#/defs/object" 2226 } 2227 }, 2228 "Tag": { 2229 "type": "array", 2230 "uniqueItems": true, 2231 "items": { 2232 "$ref": "#/defs/tag" 2233 } 2234 } 2235 } 2236 }, 2237 "tag": { 2238 "type": "object", 2239 "additionalProperties": false, 2240 "properties": { 2241 "id": { 2242 "type": "string" 2243 }, 2244 "name": { 2245 "type": "string" 2246 }, 2247 "colour": { 
             "type": "string"
           },
           "exportable": {"type": "boolean"},
           "hide_tag": {"type": "boolean"},
           "user_id": {"type": "string"}
         }
       },
       "galaxy": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "uuid": {"type": "string"},
           "name": {"type": "string"},
           "type": {"type": "string"},
           "description": {"type": "string"},
           "version": {"type": "string"},
           "icon": {"type": "string"},
           "namespace": {"type": "string"},
           "GalaxyCluster": {
             "type": "array",
             "uniqueItems": true,
             "items": {"$ref": "#/defs/galaxy_cluster"}
           }
         }
       },
       "galaxy_cluster": {
         "type": "object",
         "additionalProperties": false,
         "properties": {
           "id": {"type": "string"},
           "uuid": {"type": "string"},
           "type": {"type": "string"},
           "value": {"type": "string"},
           "tag_name": {"type": "string"},
           "description": {"type": "string"},
           "galaxy_id": {"type": "string"},
           "version": {"type": "string"},
           "source": {"type": "string"},
           "authors": {
             "type": "array",
             "uniqueItems": true,
             "items": {"type": "string"}
           },
           "tag_id": {"type": "string"},
           "meta": {"type": "object"}
         }
       }
     },
     "type": "object",
     "properties": {
       "Event": {"$ref": "#/defs/event"}
     },
     "required": ["Event"]
   }

4. Manifest

   MISP events can be shared over an HTTP repository, a file package or
   a USB key. A manifest file provides an index of the MISP events so
   that a consumer can fetch only the recently updated files without
   parsing each JSON file.
4.1. Format

   A manifest file is a simple JSON file named manifest.json located in
   the directory that holds the MISP events. Each MISP event is a file
   in the same directory whose filename is the event uuid with the json
   extension.

   The manifest format is a JSON object: a dictionary whose keys are the
   uuids of the events.

   Each uuid maps to a JSON object with the following fields, copied
   from the original event referenced by that uuid:

   o  info (MUST)

   o  Orgc object (MUST)

   o  analysis (SHALL)

   o  timestamp (MUST)

   o  date (MUST)

   o  threat_level_id (SHALL)

   In addition to the fields originating from the event, the following
   fields can be added:

   o  integrity:sha256 represents the SHA256 value, in hexadecimal
      representation, of the associated MISP event file, to ensure the
      integrity of the file. (SHOULD)

   o  integrity:pgp represents a detached PGP signature [RFC4880] of
      the associated MISP event file, to ensure the integrity of the
      file. (SHOULD)

   If a detached PGP signature is used for each MISP event, a detached
   PGP signature MUST also be provided to ensure the integrity of the
   manifest file. The detached PGP signature for a manifest file is a
   manifest.json.asc file containing the PGP signature.

4.1.1. Sample Manifest

   {
     "57c6ac4c-c60c-4f79-a38f-b666950d210f": {
       "info": "Malspam 2016-08-31 (.wsf in .zip) - campaign: Photo",
       "Orgc": {
         "id": "2",
         "name": "CIRCL",
         "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f"
       },
       "analysis": "0",
       "Tag": [
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         }
       ],
       "timestamp": "1472638251",
       "date": "2016-08-31",
       "threat_level_id": "3"
     },
     "5720accd-dd28-45f8-80e5-4605950d210f": {
       "info": "Malspam 2016-04-27 - Locky",
       "Orgc": {
         "id": "2",
         "name": "CIRCL"
       },
       "analysis": "2",
       "Tag": [
         {
           "colour": "#ffffff",
           "name": "tlp:white"
         },
         {
           "colour": "#3d7a00",
           "name": "circl:incident-classification=\"malware\""
         },
         {
           "colour": "#2c4f00",
           "name": "malware_classification:malware-category=\"Ransomware\""
         }
       ],
       "timestamp": "1461764231",
       "date": "2016-04-27",
       "threat_level_id": "3"
     }
   }

5. Implementation

   The MISP format is implemented by different software, including the
   MISP threat sharing platform and libraries such as PyMISP [MISP-P].
   Implementations use the format as an export/import mechanism, as a
   staging transport format or as a synchronisation format, as is done
   in the MISP core platform. The MISP format does not impose any
   restriction on how other implementations represent the data in their
   own data structures.

6. Security Considerations

   MISP events might contain sensitive or confidential information.
   Adequate access control and encryption measures shall be implemented
   to ensure the confidentiality of the MISP events.

   Adversaries might include malicious content in MISP events and
   attributes.
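   The integrity:sha256 field of the manifest (Section 4.1) gives a
   consumer of a shared event directory a check it can run before it
   parses any event file at all, which is one concrete way to keep
   modified or truncated files out of the parser. The following is an
   added example, not code from the MISP project or from PyMISP: it
   builds a manifest.json from <uuid>.json event files, adds the
   integrity:sha256 digest, selects the entries newer than a given
   timestamp, and re-verifies the directory after one file has been
   modified. The event files, uuids and timestamps are constructed in a
   temporary directory so the block runs offline; the integrity:pgp
   detached signature is not covered here.

```python
import hashlib
import json
import os
import tempfile

# Fields a manifest entry copies from the event (Section 4.1).
MANIFEST_FIELDS = ("info", "Orgc", "analysis", "timestamp", "date", "threat_level_id")


def sha256_of_file(path):
    """Hex SHA256 of a file, read in chunks so large event files are handled."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(directory):
    """Index every <uuid>.json event file in directory, keyed by event uuid."""
    manifest = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".json") or name == "manifest.json":
            continue
        path = os.path.join(directory, name)
        with open(path, "r", encoding="utf-8") as fh:
            event = json.load(fh)["Event"]
        entry = {field: event[field] for field in MANIFEST_FIELDS if field in event}
        entry["integrity:sha256"] = sha256_of_file(path)
        manifest[name[:-len(".json")]] = entry
    return manifest


def verify_manifest(directory, manifest):
    """Map each uuid to 'ok', 'missing' or 'hash-mismatch' without parsing the event."""
    status = {}
    for uuid, entry in manifest.items():
        path = os.path.join(directory, uuid + ".json")
        if not os.path.isfile(path):
            status[uuid] = "missing"
        elif sha256_of_file(path) != entry.get("integrity:sha256"):
            status[uuid] = "hash-mismatch"
        else:
            status[uuid] = "ok"
    return status


def updated_since(manifest, since):
    """uuids whose event timestamp is newer than since: the manifest's purpose."""
    return sorted(u for u, e in manifest.items() if int(e["timestamp"]) > since)


def _constructed_event(uuid, info, timestamp, date):
    """A minimal constructed event document (not from a real MISP instance)."""
    return {"Event": {
        "uuid": uuid, "info": info, "analysis": "0",
        "Orgc": {"uuid": "00000000-0000-4000-8000-0000000000aa", "name": "ExampleOrg"},
        "timestamp": timestamp, "date": date, "threat_level_id": "3"}}


def demo():
    """Write two constructed events, build and verify the manifest, then
    modify one file after the fact and verify again."""
    uuid_a = "11111111-1111-4111-8111-111111111111"
    uuid_b = "22222222-2222-4222-8222-222222222222"
    with tempfile.TemporaryDirectory() as directory:
        for uuid, doc in (
            (uuid_a, _constructed_event(uuid_a, "constructed event A", "1600000000", "2020-09-13")),
            (uuid_b, _constructed_event(uuid_b, "constructed event B", "1600100000", "2020-09-14")),
        ):
            with open(os.path.join(directory, uuid + ".json"), "w", encoding="utf-8") as fh:
                json.dump(doc, fh)
        manifest = build_manifest(directory)
        with open(os.path.join(directory, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh, indent=2)
        before = verify_manifest(directory, manifest)
        # Any change to an event file after the manifest was produced breaks its digest.
        with open(os.path.join(directory, uuid_b + ".json"), "a", encoding="utf-8") as fh:
            fh.write("\n")
        after = verify_manifest(directory, manifest)
        newer = updated_since(manifest, 1600000000)
    return before, after, newer


if __name__ == "__main__":
    print(demo())
```

   The digest only proves that an event file matches the manifest that
   was published with it; the manifest itself is what the detached PGP
   signature (manifest.json.asc) is meant to protect, which is why the
   format makes that signature a MUST once per-event signatures are in
   use.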
   Implementations MUST treat their inputs as potentially malicious, in
   addition to handling the standard threat information, which may
   itself already contain content intended to be malicious.

7. Acknowledgements

   The authors wish to thank the whole MISP community for supporting
   the creation of open standards in threat intelligence sharing.
   Special thanks to Nicolas Bareil for the review of the JSON Schema.

8. References

8.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC4122]  Leach, P., Mealling, M., and R. Salz, "A Universally
              Unique IDentifier (UUID) URN Namespace", RFC 4122,
              DOI 10.17487/RFC4122, July 2005.

   [RFC4880]  Callas, J., Donnerhacke, L., Finney, H., Shaw, D., and R.
              Thayer, "OpenPGP Message Format", RFC 4880,
              DOI 10.17487/RFC4880, November 2007.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON) Data
              Interchange Format", STD 90, RFC 8259,
              DOI 10.17487/RFC8259, December 2017.

8.2. Informative References

   [JSON-SCHEMA]
              "JSON Schema: A Media Type for Describing JSON Documents",
              2016.

   [MISP-P]   MISP, "MISP Project - Open Source Threat Intelligence
              Platform and Open Standards For Threat Information
              Sharing".

   [MISP-R]   MISP, "MISP Object Relationship Types - common vocabulary
              of relationships".

   [MISP-T]   MISP, "MISP Taxonomies - shared and common vocabularies of
              tags".
Authors' Addresses

   Alexandre Dulaunoy
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1160
   Luxembourg

   Phone: +352 247 88444
   Email: alexandre.dulaunoy@circl.lu

   Andras Iklody
   Computer Incident Response Center Luxembourg
   16, bd d'Avranches
   Luxembourg L-1160
   Luxembourg

   Phone: +352 247 88444
   Email: andras.iklody@circl.lu